788 research outputs found

    A Survey on Modality Characteristics, Performance Evaluation Metrics, and Security for Traditional and Wearable Biometric Systems

    Biometric research is directed increasingly towards Wearable Biometric Systems (WBS) for user authentication and identification. However, prior to engaging in WBS research, how their operational dynamics and design considerations differ from those of Traditional Biometric Systems (TBS) must be understood. While the current literature is cognizant of those differences, there is no effective work that summarizes the factors where TBS and WBS differ, namely, their modality characteristics, performance, security and privacy. To bridge the gap, this paper accordingly reviews and compares the key characteristics of modalities, contrasts the metrics used to evaluate system performance, and highlights the divergence in critical vulnerabilities, attacks and defenses for TBS and WBS. It further discusses how these factors affect the design considerations for WBS, the open challenges and future directions of research in these areas. In doing so, the paper provides a big-picture overview of the important avenues of challenges and potential solutions that researchers entering the field should be aware of. Hence, this survey aims to be a starting point for researchers in comprehending the fundamental differences between TBS and WBS before understanding the core challenges associated with WBS and its design

    ECG Biometric Authentication: A Comparative Analysis

    Robust authentication and identification methods become an indispensable urgent task to protect the integrity of the devices and the sensitive data. Passwords have provided access control and authentication, but have shown their inherent vulnerabilities. The speed and convenience factor are what makes biometrics the ideal authentication solution as they could have a low probability of circumvention. To overcome the limitations of the traditional biometric systems, electrocardiogram (ECG) has received the most attention from the biometrics community due to the highly individualized nature of the ECG signals and the fact that they are ubiquitous and difficult to counterfeit. However, one of the main challenges in ECG-based biometric development is the lack of large ECG databases. In this paper, we contribute to creating a new large gallery off-the-person ECG datasets that can provide new opportunities for the ECG biometric research community. We explore the impact of filtering type, segmentation, feature extraction, and health status on ECG biometric by using the evaluation metrics. Our results have shown that our ECG biometric authentication outperforms existing methods lacking the ability to efficiently extract features, filtering, segmentation, and matching. This is evident by obtaining 100% accuracy for PTB, MIT-BHI, CEBSDB, CYBHI, ECG-ID, and in-house ECG-BG database in spite of noisy, unhealthy ECG signals while performing five-fold cross-validation. In addition, an average of 2.11% EER among 1,694 subjects is obtained

    ECG Biometric Recognition: Review, System Proposal, and Benchmark Evaluation

    Electrocardiograms (ECGs) have shown unique patterns to distinguish between different subjects and present important advantages compared to other biometric traits, such as difficulty to counterfeit, liveness detection, and ubiquity. Also, with the success of Deep Learning technologies, ECG biometric recognition has received increasing interest in recent years. However, it is not easy to evaluate the improvements of novel ECG proposed methods, mainly due to the lack of public data and standard experimental protocols. In this study, we perform extensive analysis and comparison of different scenarios in ECG biometric recognition. Both verification and identification tasks are investigated, as well as single- and multi-session scenarios. Finally, we also perform single- and multi-lead ECG experiments, considering traditional scenarios using electrodes in the chest and limbs and current user-friendly wearable devices. In addition, we present ECGXtractor, a robust Deep Learning technology trained with an in-house large-scale database and able to operate successfully across various scenarios and multiple databases. We introduce our proposed feature extractor, trained with multiple sinus-rhythm heartbeats belonging to 55,967 subjects, and provide a general public benchmark evaluation with detailed experimental protocol. We evaluate the system performance over four different databases: i) our in-house database, ii) PTB, iii) ECG-ID, and iv) CYBHi. With the widely used PTB database, we achieve Equal Error Rates of 0.14% and 2.06% in verification, and accuracies of 100% and 96.46% in identification, respectively in single- and multi-session analysis. We release the source code, experimental protocol details, and pre-trained models in GitHub to advance in the field. Comment: 11 pages, 4 figure

    Multi-Factor Authentication: A Survey

    Today, digitalization decisively penetrates all the sides of the modern society. One of the key enablers to maintain this process secure is authentication. It covers many different areas of a hyper-connected world, including online payments, communications, access right management, etc. This work sheds light on the evolution of authentication systems towards Multi-Factor Authentication (MFA) starting from Single-Factor Authentication (SFA) and through Two-Factor Authentication (2FA). Particularly, MFA is expected to be utilized for human-to-everything interactions by enabling fast, user-friendly, and reliable authentication when accessing a service. This paper surveys the already available and emerging sensors (factor providers) that allow for authenticating a user with the system directly or by involving the cloud. The corresponding challenges from the user as well as the service provider perspective are also reviewed. The MFA system based on reversed Lagrange polynomial within Shamir’s Secret Sharing (SSS) scheme is further proposed to enable more flexible authentication. This solution covers the cases of authenticating the user even if some of the factors are mismatched or absent. Our framework allows for qualifying the missing factors by authenticating the user without disclosing sensitive biometric data to the verification entity. Finally, a vision of the future trends in MFA is discussed. Peer reviewe

    Seamless Multimodal Biometrics for Continuous Personalised Wellbeing Monitoring

    Artificially intelligent perception is increasingly present in the lives of every one of us. Vehicles are no exception, (...) In the near future, pattern recognition will have an even stronger role in vehicles, as self-driving cars will require automated ways to understand what is happening around (and within) them and act accordingly. (...) This doctoral work focused on advancing in-vehicle sensing through the research of novel computer vision and pattern recognition methodologies for both biometrics and wellbeing monitoring. The main focus has been on electrocardiogram (ECG) biometrics, a trait well-known for its potential for seamless driver monitoring. Major efforts were devoted to achieving improved performance in identification and identity verification in off-the-person scenarios, well-known for increased noise and variability. Here, end-to-end deep learning ECG biometric solutions were proposed and important topics were addressed such as cross-database and long-term performance, waveform relevance through explainability, and interlead conversion. Face biometrics, a natural complement to the ECG in seamless unconstrained scenarios, was also studied in this work. The open challenges of masked face recognition and interpretability in biometrics were tackled in an effort to evolve towards algorithms that are more transparent, trustworthy, and robust to significant occlusions. Within the topic of wellbeing monitoring, improved solutions to multimodal emotion recognition in groups of people and activity/violence recognition in in-vehicle scenarios were proposed. At last, we also proposed a novel way to learn template security within end-to-end models, dismissing additional separate encryption processes, and a self-supervised learning approach tailored to sequential data, in order to ensure data security and optimal performance. (...) Comment: Doctoral thesis presented and approved on the 21st of December 2022 to the University of Port

    Towards trustworthy computing on untrustworthy hardware

    Historically, hardware was thought to be inherently secure and trusted due to its obscurity and the isolated nature of its design and manufacturing. In the last two decades, however, hardware trust and security have emerged as pressing issues. Modern day hardware is surrounded by threats manifested mainly in undesired modifications by untrusted parties in its supply chain, unauthorized and pirated selling, injected faults, and system and microarchitectural level attacks. These threats, if realized, are expected to push hardware to abnormal and unexpected behaviour causing real-life damage and significantly undermining our trust in the electronic and computing systems we use in our daily lives and in safety critical applications. A large number of detective and preventive countermeasures have been proposed in literature. It is a fact, however, that our knowledge of potential consequences to real-life threats to hardware trust is lacking given the limited number of real-life reports and the plethora of ways in which hardware trust could be undermined. With this in mind, run-time monitoring of hardware combined with active mitigation of attacks, referred to as trustworthy computing on untrustworthy hardware, is proposed as the last line of defence. This last line of defence allows us to face the issue of live hardware mistrust rather than turning a blind eye to it or being helpless once it occurs. This thesis proposes three different frameworks towards trustworthy computing on untrustworthy hardware. The presented frameworks are adaptable to different applications, independent of the design of the monitored elements, based on autonomous security elements, and are computationally lightweight. The first framework is concerned with explicit violations and breaches of trust at run-time, with an untrustworthy on-chip communication interconnect presented as a potential offender. 
The framework is based on the guiding principles of component guarding, data tagging, and event verification. The second framework targets hardware elements with inherently variable and unpredictable operational latency and proposes a machine-learning based characterization of these latencies to infer undesired latency extensions or denial of service attacks. The framework is implemented on a DDR3 DRAM after showing its vulnerability to obscured latency extension attacks. The third framework studies the possibility of the deployment of untrustworthy hardware elements in the analog front end, and the consequent integrity issues that might arise at the analog-digital boundary of system on chips. The framework uses machine learning methods and the unique temporal and arithmetic features of signals at this boundary to monitor their integrity and assess their trust level

    Recent Advances in Biometric Technology for Mobile Devices

    International audience. The prevalent commercial deployment of mobile biometrics as a robust authentication method on mobile devices has fueled increasing scientific attention. Motivated by this, in this work we seek to provide insight on recent development in mobile biometrics. We present parallels and dissimilarities of mobile biometrics and classical biometrics, enumerate related benefits and challenges. Further we provide an overview of recent techniques in mobile biometrics, as well as application systems adopted by industry. Finally, we discuss open research problems in this field

    Semi-Automatic Generation of Tests for Assessing Correct Integration of Security Mechanisms in the Internet of Things

    Internet of Things (IoT) is expanding at a global level and its influence in our daily lives is increasing. This fast expansion, with companies competing to be the first to deploy new IoT systems, has led to the majority of the software being created and produced without due attention being given to security considerations and without adequate security testing. Software quality and security testing are inextricably linked. The most successful approach to achieve secure software is to adhere to secure development, deployment, and maintenance principles and practices throughout the development process. Security testing is a procedure for ensuring that a system keeps the users' data secure and performs as expected. However, extensively testing a system can be a very daunting task that usually requires professionals to be well versed in the subject, so as to be performed correctly. Moreover, not all development teams can have access to a security expert to perform security testing in their IoT systems. The need to automate security testing emerged as a potential means to solve this issue. This dissertation describes the process undertaken to design and develop a module entitled Assessing Correct Integration of Security Mechanisms (ACISM) that aims to provide system developers with the means to improve system security by anticipating and preventing potential attacks. Using the list of threats that the system is vulnerable to as inputs, this tool provides developers with a set of security tests and tools that will allow testing how susceptible the system is to each of those threats. This tool outputs a set of possible attacks derived from the threats and what tools could be used to simulate these attacks. The tool developed in this dissertation has the purpose to function as a plugin of a framework called Security Advising Modules (SAM). 
It has the objective of advising users in the development of secure IoT, cloud and mobile systems during the design phases of these systems. SAM is a modular framework composed of a set of modules that advise the user in different stages of the security engineering process. To validate the usefulness of the ACISM module in real life, it was tested by 17 computer science practitioners. The feedback received from these users was very positive. The great majority of the participants found the tool to be extremely helpful in facilitating the execution of security tests in IoT. The principal contributions achieved with this dissertation were: the creation of a tool that outputs a set of attacks and penetration tools to execute the attacks mentioned, all starting from the threats an IoT system is susceptible to. Each of the identified attacking tools will be accompanied by a brief instructional guide; all summing up to an extensive review of the state of the art in testing. The Internet of Things (IoT) is one of the paradigms with the greatest worldwide expansion at the time of writing of this dissertation, which translates into an unavoidable influence on daily life. Companies aim to be the first to deploy new IoT systems as a result of its rapid expansion, which means that most software is created and produced without security considerations or adequate security testing. Software quality and security testing are closely linked. The most successful approach to obtaining secure software is to adhere to secure development, deployment and maintenance principles and practices throughout the development process. Security testing is a procedure for ensuring that a system protects the user's data and performs as expected. 
This dissertation describes the effort spent on the design and development of a tool that, taking into account the threats to which a system is vulnerable, produces a set of tests and identifies a set of security tools to check the system's susceptibility to them. The aforementioned tool was developed in Python and takes as input a list of threats to which the system is vulnerable. After processing this information, the tool produces a set of attacks derived from the threats and possible tools to be used to simulate those attacks. To verify the usefulness of the tool in real scenarios, it was tested by 17 people with knowledge in the field of computing. The tool was evaluated very positively by the test subjects. The great majority of participants considered the tool extremely useful in supporting the execution of security tests in IoT. The main contributions achieved with this dissertation were: the creation of a tool that, from the threats to which an IoT system is susceptible, will produce a set of attacks and penetration tools to execute the attacks mentioned. Each of the tools will be accompanied by a brief instruction guide; an extensive review of the state of the art in testing. The work described in this dissertation was carried out at the Instituto de Telecomunicações, Multimedia Signal Processing – Covilhã Laboratory, in Universidade da Beira Interior, at Covilhã, Portugal. This research work was funded by the SECURIoTESIGN Project through FCT/COMPETE/FEDER under Reference Number POCI-01-0145-FEDER030657 and by Fundação para Ciência e Tecnologia (FCT) research grant with reference BIL/Nº11/2019-B00701